
Anonymous Postmasters Early Warning System (APEWS.ORG) has started


spam...@postmasters.servegame.org

Jan 12, 2007, 5:27:42 AM
This will be the first and only public message you will ever read from
us.

APEWS was founded by some people thinking SPEWS might be dead, but they
did a great job.
We have started with new (plain) zones in SPEWS-Style and just listed
the first areas these days.

There are some significant differences to SPEWS:

While it seems SPEWS was a one man show, APEWS will be maintained by
many operators.
APEWS will invite people we think we must have onboard to join the
operator team.
Please note: You can not contact us - But possibly we will contact you.
If any mail claiming to be from us was received by an IP not resolving
to apews.org then it's faked.

APEWS Level 1 is a RHSBL (lists domains), APEWS Level 2 is a DNSBL
(lists IP's and CIDR's).

If you feel we do anything wrong, post to
news.admin.net-abuse.blocklisting or news.admin.net-abuse.email
starting with subject APEWS followed by the Case-ID.

Listings will escalate faster and deescalate slower than in SPEWS.

We recommend every SPEWS user to use APEWS now.

We will try our best to make you happy. That's a promise.

And now visit http://www.apews.org to find out about details.

Thank you.

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

Stephen Satchell

Jan 12, 2007, 9:04:36 AM
A set of small suggestions:

1. With each IP address or range listed, include the ASN. (Providing
ASNs for domain names is problematic because domain names are far more
portable than IP addresses.)

2. On your Web page, provide a search by ASN. The result would be a
list of links to actively listed IP addresses or ranges. This enables a
provider who cares to use your Web page to see all listings associated
with his or her ASN.

3. Restrict IP ranges to a single ASN.

-==-

And, of course, this is NANAE so we need the obligatory spelling,
grammar, and content nits.

From the FAQ:

A15: The couase APEWS exists spam (aka: unsolicited bulk email). That is
what APEWS is designed and intended to list, nothing more.

[couase is not a word; looks like someone got nailed by an editor with
bad mouse control]

-==-

Q13: What gives you the right to stop spammers, or anyone for that
matter, from sending you email?
A13: Basic private property rights and basic freedoms to associate with
and not associate with whomever we chose. Our email systems and
mailboxes are our and our client's private property, some of us tried
putting up "no trespassing" signs ("don't spam here" banners), when they
were disregarded we hired the equivalent of a "nightclub bouncer" who
has a list of past trespassers and potential troublemakers we'd rather
not let in. The bouncer is our email/packet filtering software, the list
it uses is called APEWS.

RECOMMENDATION: Make clear in the answer that the "you" in the question
is assumed to be the APEWS operators *only*. Also add that other mail
administrators around the world decide whether or not to consult with
APEWS when making an accept/reject decision. This recommendation is for
an addition, at the beginning of the answer, and not a replacement. I
like the answer, frankly.

Q25: Will APEWS ever list the big corporate spammers?
A25: Yes. If they venture into the pure unsolicited emailing world, or
have an un-managed "affiliate" program that causes spam problems they
will be listed.

RECOMMENDATION: find a good description of "affiliate program" and link
to it.

-==-

Just my pair-o'-pennies.

(By the way, on the assumption that the mail I received last year was an
invitation to join this group, I wish I would have been able to assist.
As the one and only network/mail administrator for $DAYJOB, I already
work too many hours. I'm talking with The Boss about mirroring APEWS,
though.)

Satch


--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism

Roy Bixler

Jan 12, 2007, 6:34:17 PM
spam...@postmasters.servegame.org wrote:
> Listings will escalate faster and deescalate slower than in SPEWS.

That's fine, but I hope that it's more of an automated system than was
SPEWS. I know of one listing that remained in SPEWS for years that should
have either been removed or updated. That was enough to make me doubt that
SPEWS was automated as claimed in its FAQ.

Also, here are a few other nits to pick in the FAQ. First, in A26, you may
want to remove the reference to ORDB since it is now defunct. Also, in
A45, what does the following part of the description of the UCEPROTECT list
mean? "They are known to be consequent ..." Do you mean instead to say
"honest", "forthright" or "straightforward"? Also, I would change the
wording "we have seen that they would not even stop for" to "we have seen
that they would even list".

--
Roy Bixler <rcbi...@nyx.net>
The price of seeking to force our beliefs on others is that someday
they might force their beliefs on us.
-- Mario Cuomo

N S

Jan 13, 2007, 12:16:16 PM

spamt...@postmasters.servegame.org wrote:
>
> We will try our best to make you happy. That's a promise.
>
> And now visit http://www.apews.org to find out about details.
>

Can you find someone who knows a bit about design to tidy up some of
the pages. A bit of whitespace on the FAQ page would do wonders for
readability.

Cameron L. Spitzer

Jan 13, 2007, 7:37:17 PM
In article <1168568974.1...@51g2000cwl.googlegroups.com>, spam...@postmasters.servegame.org wrote:
>
> APEWS was founded by some people thinking SPEWS might be dead, but they
> did a great job.

While SPEWS did not meet my needs as a block list, I found
it valuable as a reference, and might have used it
in a scoring system some day. I'm glad someone is
picking up the effort.


> There are some significant differences to SPEWS:

There were credible suggestions that SPEWS data and the
unpublished evidence behind it didn't always include time stamps.
While information about particular spammers or spam gangs
may be valuable indefinitely, specifics about their location
and behavior are plausibly rather worthless after three
or four years. I hope APEWS keeps track of when each
listing was made.


> While it seems SPEWS was a one man show, APEWS will be maintained by
> many operators.

I'm in no position to be an operator. But should you for
some reason need a few more spamtraps, I've got some addresses
that were generated by failed attempts at demunging or e-pending
that seem to be on several major spammers' lists. They've
never been published on the Web or on Usenet as far as I know.
They get spam at least daily and have never ever been used for
receiving email. I'd be glad to forward their traffic somewhere.


Cameron
charlie lima sierra at golf romeo echo echo november sierra
dot oscar romeo golf

Shmuel (Seymour J.) Metz

Jan 13, 2007, 8:40:50 PM
In <12qfb2p...@news.supernews.com>, on 01/12/2007

at 02:04 PM, Stephen Satchell <use...@satchell.net> said:

>1. With each IP address or range listed, include the ASN.

Listing the ASN for an IP address is a good idea, but I have
reservations about trying it for domains.

>(Providing ASNs for domain names is problematic because domain
>names are far more portable than IP addresses.)

More than problematical. Do you want them to list IP addresses for the
subject domain, which may not even exist, or to list IP address for
every subdomain, which doesn't scale?

>2. On your Web page, provide a search by ASN.

AOL.

>3. Restrict IP ranges to a single ASN.

AOL.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Shmuel (Seymour J.) Metz

Jan 13, 2007, 8:41:23 PM
In <50qr0rF...@mid.individual.net>, on 01/12/2007

at 11:34 PM, Roy Bixler <rcbi...@nyx.net> said:

>That's fine, but I hope that it's more of an automated system than
>was SPEWS. I know of one listing that remained in SPEWS for years
>that should have either been removed or updated.

That's not clear. What's clear is that there should be a policy as to
whether evidence files will be updated when the new evidence is
sensitive, e.g., might compromise spam traps. I'd certainly advise a
random delay before updating the evidence file automatically.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

phil-new...@ipal.net

Jan 17, 2007, 1:10:40 PM
On Fri, 12 Jan 2007 14:04:36 GMT Stephen Satchell <use...@satchell.net> wrote:

| 2. On your Web page, provide a search by ASN. The result would be a
| list of links to actively listed IP addresses or ranges. This enables a
| provider who cares to use your Web page to see all listings associated
| with his or her ASN.

There should also be a search by CIDR or IP range. I have not checked
to see if this already exists. Many smaller ISPs don't have ASNs.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

phil-new...@ipal.net

Jan 17, 2007, 4:29:42 PM
On Sun, 14 Jan 2007 01:40:50 GMT "Shmuel (Seymour J.) Metz" <spam...@library.lspace.org.invalid> wrote:

| In <12qfb2p...@news.supernews.com>, on 01/12/2007
| at 02:04 PM, Stephen Satchell <use...@satchell.net> said:
|
|>1. With each IP address or range listed, include the ASN.
|
| Listing the ASN for an IP address is a good idea, but I have
| reservations about trying it for domains.

It just wouldn't be applicable to associate an ASN to a domain.
Domains can span ASNs, and an ASN can have many domains. Some
other database could conceivably aggregate which ASNs have some
domain, and which domains are in some ASN. But an ISP can run
an rDNS scan on all their own networks to see what their delegated
rDNS has.


|>(Providing ASNs for domain names is problematic because domain
|>names are far more portable than IP addresses.)
|
| More than problematical. Do you want them to list IP addresses for the
| subject domain, which may not even exist, or to list IP address for
| every subdomain, which doesn't scale?

I think he was referring to listing ASNs for domain names. Certainly
what you are referring to is a hard project. Anyone up for collecting
every rDNS data in IPv4 space and building a big database to search?
Unless someone has tons of resources sitting idle, I don't envision
this ever happening. I do collect rDNS from many allocated spaces that
have an IP that sends me spam. But that's only a small dent in all of
the IPv4 space. Don't even think of doing this for the IPv6 space.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

--

Shmuel (Seymour J.) Metz

Jan 18, 2007, 8:21:20 PM
In <1168568974.1...@51g2000cwl.googlegroups.com>, on
01/12/2007

>APEWS Level 1 is a RHSBL (lists domains), APEWS Level 2 is a DNSBL
>(lists IP's and CIDR's).

Where do you see that in the FAQ?

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

E-Mail Sent to this address will be added to the BlackLists

Jan 19, 2007, 12:43:55 PM
Shmuel (Seymour J.) Metz wrote:
> spam...@postmasters.servegame.org said:
>> APEWS Level 1 is a RHSBL (lists domains), APEWS Level 2
>> is a DNSBL (lists IP's and CIDR's).
>
> Where do you see that in the FAQ?

It does not seem to be in the FAQ,
try "Email Filtering" <http://apews.org/?page=filter>


--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Johann Steigenberger

Jan 21, 2007, 7:50:16 PM
In article <Qz8sh.2549$O02....@newssvr11.news.prodigy.net>,
Nu...@BlackList.Anitech-Systems.invalid says...

>
>Shmuel (Seymour J.) Metz wrote:
>> spam...@postmasters.servegame.org said:
>>> APEWS Level 1 is a RHSBL (lists domains), APEWS Level 2
>>> is a DNSBL (lists IP's and CIDR's).
>>
>> Where do you see that in the FAQ?
>
>It does not seem to be in the FAQ,
> try "Email Filtering" <http://apews.org/?page=filter>

Perhaps you guys should read the FAQ A21.

I am not APEWS.

--
Project UCEPROTECT-Network: Join now - It's free - It's consequent
Together we can stop all spammers on this planet!
http://www.uceprotect.net

Dan Harkless

May 19, 2007, 7:59:16 AM
APEWS wrote:
>
> If you feel we do anything wrong, post to
> news.admin.net-abuse.blocklisting or news.admin.net-abuse.email
> starting with subject APEWS followed by the Case-ID.

I'm a long-time happy user of SPEWS and then APEWS, but I was very
unhappy today to discover that my netblock had been listed in APEWS:

Sorry 71.133.223.221 is currently listed in APEWS :-(

Entry matching your Query: E-173851
71.128.0.0/11

CASE: C-130
Most abusive ASN and CIDR

History:
Entry created 2007-05-18

My server is hosted from my AT&T static IP address DSL line (about all I
can afford), and I'm an anti-spam activist, I host open source anti-spam
software I've written on my site (with more to come), etc., yet I've
just been tarred as a spammer by what seems like an excessively large
brush. A whole lot of non-spamming small businesses and techies that
prefer to run their own mailservers (e.g. for better spam control) can
no longer send mail to the APEWS-using world.

Presumably AT&T's main outgoing SMTP servers are not blocked, but for
many reasons I prefer to be able to send my email directly from my
server (e.g. to be able to have hard verification that certain mails
reached the recipient servers, to be able to ensure end-to-end SSL
encryption with certain correspondents' servers, etc.).

APEWS folks, would you please consider either removing static IP address
ranges from this block (not sure what they are -- I don't know if AT&T
publishes that info publically), or else adding the ability for
legitimate non-spamming server owners to request removal of their
specific IPs, as many other prominent DNSBLs do?

> We will try our best to make you happy. That's a promise.

I hope you can do something about this. :-( As of right now I'm of
course ceasing use of APEWS, since it incorrectly marks me as a spammer.

--
Dan Harkless
http://harkless.org/dan/

Shmuel (Seymour J.) Metz

May 20, 2007, 12:36:35 PM
In <Arv3i.21230$YL5....@newssvr29.news.prodigy.net>, on 05/19/2007
at 11:59 AM, Dan Harkless <use...@harkless.org> said:

>APEWS wrote:

Do you really believe that came from APEWS?

>I'm a long-time happy user of SPEWS and then APEWS,

Then you should understand what they are and what they are not.

>but I was very unhappy today to discover that my netblock had been
>listed in APEWS:

It's not your netblock that's listed.

>My server is hosted from my AT&T static IP address DSL line

A bad neighborhood.

>(about all I can afford),

That's unfortunate, but it's not a reason for APEWS or anybody else to
cut holes in a listing of a rogue provider.

>I'm an anti-spam activist,

You're not listed.

>yet I've just been tarred as a spammer

No you haven't.

>by what seems like an excessively large brush.

It's not the brush that's too large, it's the sewer.

>A whole lot of non-spamming small businesses and techies that prefer
>to run their own mailservers (e.g. for better spam control)

You seem to be confusing inbound and outbound. There's no need to
employ the same host as an inbound MTA and an outbound MSA.

>can no longer send mail to the APEWS-using world.

They can still send mail; they simply need to acquire the services of
an MTA in clean IP space.

>Presumably AT&T's main outgoing SMTP servers are not blocked,

I would make no such presumption.

>but for many reasons I prefer to be able to send my email directly
>from my server

You certainly have the right to run a mail client in the IP space you
lease from AT&T[1], but nobody has an obligation to accept traffic
from it.

>APEWS folks, would you please consider either removing static IP
>address ranges from this block

Why would they do that before AT&T cleans up its network? It's more
work for them and more risk for their users.

>as many other prominent DNSBLs do?

Every list has its own policies. Unless you can provide a compelling
reason why the current APEWS policies interfere with achieving their
goals, I don't see why APEWS would consider changing them.

>As of right now I'm of course ceasing use of APEWS,

There is no "of course". You are certainly free to cease using a DNSBL
for whatever reason you wish, but you're hurting only yourself.

>since it incorrectly marks me as a spammer.

No it doesn't; in fact, it doesn't identify you as anything, unless
you own SBC.

[1] I'm using "AT&T" to refer to the entire SBC/SWBELL network, not
just the pieces labelled as AT&T.


--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

Herb Oxley

May 20, 2007, 4:15:26 PM
Dan Harkless <use...@harkless.org> wrote:

> I hope you can do something about this. :-( As of right now I'm of
> course ceasing use of APEWS, since it incorrectly marks me as a spammer.

If you're a long time former SPEWS user you should know SPEWS took a
meat-ax approach to spam blocking and APEWS ( and to a lesser extent
UCEPROTECT ) is run along the same lines.

APEWS isn't marking *you* as a spammer, rather the entire 71.128.0.0/11
is considered by APEWS to be too spammy for its users to accept SMTP
connections from that space by default.

Note that SPEWS used /18 as the biggest block.

Those who use APEWS will have to learn how to whitelist "good" senders
such as yourself or they will lose too much email they
really want to receive.

As I have posted before I think the majority of SPEWS users were
outside the USA, where they would be less likely to receive valid mail
from USA internet address blocks.


--
Herb Oxley (who practices the Boulder Pledge)

phil-new...@ipal.net

May 20, 2007, 4:15:56 PM
On Sat, 19 May 2007 11:59:16 GMT Dan Harkless <use...@harkless.org> wrote:

| APEWS wrote:
|>
|> If you feel we do anything wrong, post to
|> news.admin.net-abuse.blocklisting or news.admin.net-abuse.email
|> starting with subject APEWS followed by the Case-ID.
|
| I'm a long-time happy user of SPEWS and then APEWS, but I was very
| unhappy today to discover that my netblock had been listed in APEWS:

Don't you mean "... discover that my netblock is inside a very large
network range owned by my ISP that got listed in APEWS:" ?


| Sorry 71.133.223.221 is currently listed in APEWS :-(
|
| Entry matching your Query: E-173851
| 71.128.0.0/11
|
| CASE: C-130
| Most abusive ASN and CIDR
|
| History:
| Entry created 2007-05-18
|
| My server is hosted from my AT&T static IP address DSL line (about all I
| can afford), and I'm an anti-spam activist, I host open source anti-spam
| software I've written on my site (with more to come), etc., yet I've
| just been tarred as a spammer by what seems like an excessively large
| brush. A whole lot of non-spamming small businesses and techies that
| prefer to run their own mailservers (e.g. for better spam control) can
| no longer send mail to the APEWS-using world.
|
| Presumably AT&T's main outgoing SMTP servers are not blocked, but for
| many reasons I prefer to be able to send my email directly from my
| server (e.g. to be able to have hard verification that certain mails
| reached the recipient servers, to be able to ensure end-to-end SSL
| encryption with certain correspondents' servers, etc.).

By not being able to afford anything better, you are effectively making
use of spammer subsidized address space. Your ISP could not afford to
provide space to you so cheaply unless:

1. They host some spammers to boost the revenue
2. They ignore complaints about the spammers
3. They drag their feet on shutting down people with botnets
4. They generally underpay and understaff technical departments

All of these things impose a cost burden on everyone else. We pay so you
can save some money? I don't think it should work that way.

Your IP addresses are nestled in amongst some huge spans of generic IP
space. Most DNSBLs still operate by IP address because that is still
what is universally implemented. Maybe APEWS could see fit to break
the huge span right where yours are if their intent is to just block
the real sources of spam at generic address, instead of punishing AT&T
for being such heels in letting the world be spammed from their network.
Maybe. Or maybe not (I don't run APEWS nor have I any clue who does)
due to the fact that it just doesn't scale to do this for everyone.

Yet, the vast majority of the internet is NOT listed. Are all those
users paying more than you are paying to get clean space?


| APEWS folks, would you please consider either removing static IP address
| ranges from this block (not sure what they are -- I don't know if AT&T
| publishes that info publically), or else adding the ability for
| legitimate non-spamming server owners to request removal of their
| specific IPs, as many other prominent DNSBLs do?

I've been considering running a DNSWL. Basically it would be a way to
whitelist certain categories of networks as exceptions to networks that
are otherwise blacklisted (generally in larger ranges). Would that be
something that could help in your case? The catch is, I would require
some kinds of documentation that you are who you say you are, and that
your network is operating validly (which, BTW, it is not, if you have
71.133.223.217 through 71.133.223.220, due to the false rDNS), and that
you would sign a statement that you agree to not spam. And to verify
all this, I would require collecting a processing fee (so in reality it
would probably never be implemented).


|> We will try our best to make you happy. That's a promise.
|
| I hope you can do something about this. :-( As of right now I'm of
| course ceasing use of APEWS, since it incorrectly marks me as a spammer.

Why not cease use of AT&T, since it incorrectly believes the world does
not care that their mail servers and inboxes are abused? Note that this only
means ceasing to use it as an SMTP outbound path. Host a dedicated server
at a clean ISP and use various secure protocols to communicate through it
via that AT&T access line.

Maybe the world wants to cease peering port 25 with AT&T because of that.

It is not "marking you as a spammer". Instead, it is "marking a broad
area of the network as a provider-mismanaged spam-source space".

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

--

E-Mail Sent to this address will be added to the BlackLists

May 21, 2007, 6:01:54 AM
Dan Harkless wrote:
> APEWS wrote:
>> If you feel we do anything wrong, post to
>> news.admin.net-abuse.blocklisting or news.admin.net-abuse.email
>> starting with subject APEWS followed by the Case-ID.

I certainly can't see what APEWS may be doing wrong,
the record you mention below seems to indicate that
APEWS is seeing a significant amount of abuse related
to AS7132 , 71.128.0.0/11 .


> I'm a long-time happy user of SPEWS and then APEWS, but I
> was very unhappy today to discover that my netblock had
> been listed in APEWS:
>> Sorry 71.133.223.221 is currently listed in APEWS :-(
>> Entry matching your Query: E-173851 71.128.0.0/11
>> CASE: C-130 Most abusive ASN and CIDR
>> History: Entry created 2007-05-18
>
> My server is hosted from my AT&T static IP address DSL
> line (about all I can afford), and I'm an anti-spam
> activist, I host open source anti-spam software I've
> written on my site (with more to come), etc., yet I've
> just been tarred as a spammer by what seems like an
> excessively large brush.

That CIDR your ISP is responsible for was tarred with
a brush that indicates significant abuse related to
that CIDR.


> A whole lot of non-spamming small businesses and techies
> that prefer to run their own mailservers (e.g. for better
> spam control) can no longer send mail to the APEWS-using
> world.

Except for those whitelisting sources of messages they
want / need / expect.


> APEWS folks, would you please consider either removing
> static IP address ranges from this block (not sure what
> they are -- I don't know if AT&T publishes that info
> publically), or else adding the ability for legitimate
> non-spamming server owners to request removal of their
> specific IPs, as many other prominent DNSBLs do?

Which DNSbls would those be, that are accepting request for
and delisting single IPs inside a BlackListed CIDR
based on requests by an enduser?

I don't see what good that would do, don't you think
e.g. 71.156.118.0/23 would be requesting a delisting,
so their messages would go through?


> I hope you can do something about this. :-( As of right
> now I'm of course ceasing use of APEWS, since it incorrectly
> marks me as a spammer.

Origin: AS7132
Route: 71.128.0.0/11
NetRange: 71.128.0.0 - 71.159.255.255
NetName: SBCIS-SIS80
NetType: Direct Allocation
OrgName: SBC Internet Services
OrgID: SIS-80
NameServers: NS1.PBI.NET , NS2.PBI.NET
Comment: pacbell.net / swbell.net / sbc.com / sbcglobal.net / att.com

CIDR: 71.133.223.216/29
NetRange: 71.133.223.216 - 71.133.223.223
NetType: Reassigned
CustName: Daniel Harkless

Those seeing abuse related to that IP space would likely be
sending messages to e-mail addresses that would be delivered
to your ISP, not you; What does your ISP do when they get
complaints related to that IP space?

It appears that APEWS is holding ATT responsible for the abuse
they are seeing related to AS7132 , 71.128.0.0/11 .

You have not presented any information about how that is wrong.
(That an ISP has some IPs not used for abuse, is not a very
good reason to not hold the ISP responsible for abuse
from other IPs in the AS / Route / Direct Allocation.)

If you were using their DNSbls, you certainly must have
been familiar with what they list (very rarely single IPs,
more often CIDRs).

SPEWS, APEWS, and some other IP BlackLists / BlockLists
/ DNSbls seem to hold the Regional Internet Registry's
Directly Allocated ISP responsible for abuse related to
their customers use of the IP space.

{Wack-a-Mole is depreciated.}


FYI, <http://www.spamhaus.org/statistics/networks.lasso>
The 10 Worst Spam Service ISPs As at 20 May 2007
Rank Network Number of Current Known Spam Issues
1 verizon.com 75
2 _ATT.net_ 56 (27 are known professional spam operations)
<http://www.spamhaus.org/sbl/listings.lasso?isp=att.net>
<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53736>
<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL44049>
<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51112>*
<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL44050>*
*<http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Charles%20Earle%20IV%20-%20World%20Mail%20Direct>

Origin: AS7132
Route: 71.128.0.0/11
NetRange: 71.128.0.0 - 71.159.255.255
NetName: SBCIS-SIS80
NetType: Direct Allocation
OrgName: SBC Internet Services
OrgID: SIS-80
CIDR: 71.156.118.0/23
NetRange: 71.156.118.0 - 71.156.119.255
NetType: Reassigned
CustName: Performance Marketing

Those links above are in that AS7132 , 71.128.0.0/11 Direct
Allocation to your ISP, I wonder what they will say about
that when you ask them about those, and why they are #2
in SpamHaus top 10 worst ISPs.

Cute rDNS for that 71.133.223.216/29 SWIP
216.223.133.71.in-addr.arpa -> NXDOMAIN
217.223.133.71.in-addr.arpa -> a.example.com -> NXDOMAIN
218.223.133.71.in-addr.arpa -> b.example.com -> NXDOMAIN
219.223.133.71.in-addr.arpa -> c.example.com -> NXDOMAIN
220.223.133.71.in-addr.arpa -> d.example.com -> NXDOMAIN
221.223.133.71.in-addr.arpa -> MX harkless.org -> 71.133.223.221
222.223.133.71.in-addr.arpa -> dumont.harkless.org -> 71.133.223.222
223.223.133.71.in-addr.arpa -> NXDOMAIN
{Just playing with the rDNS PTRs?}

FYI, IANA / ICANN is resolving some example.coms to IPs,
and vice versa, e.g. example.com -> 208.77.188.166
166.188.77.208.in-addr.arpa -> www.example.com
www.example.com -> 208.77.188.166


--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>


will be added to the BlackLists.
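
Two checks argued over in this thread, shown as an added example (not code from any poster or from APEWS): how a receiving mail server would weigh a listed CIDR against a more specific whitelist exception of the kind proposed above, and how the forward-confirmed rDNS table in the preceding post is evaluated. The allowlist entry, the `dnsbl.example` zone, the address `71.156.118.10` and all function names are assumptions made for illustration; the prefixes, case IDs and PTR data are the ones quoted in the thread.

```python
import ipaddress

# Prefixes quoted in the thread. The allowlist entry is hypothetical: the
# thread only proposes a DNSWL that carves exceptions out of listed ranges.
BLOCKLIST = {"71.128.0.0/11": "APEWS E-173851, CASE C-130"}
ALLOWLIST = {"71.133.223.216/29": "hypothetical DNSWL exception"}

# Constructed from the rDNS table quoted in the thread (state as of May 2007).
PTR_RECORDS = {
    "217.223.133.71.in-addr.arpa": "a.example.com",
    "222.223.133.71.in-addr.arpa": "dumont.harkless.org",
}
A_RECORDS = {"dumont.harkless.org": ["71.133.223.222"]}


def reverse_name(ip, zone="in-addr.arpa"):
    """Reverse the octets and append a zone; DNSBL queries use the same form."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def most_specific(ip, table):
    """Return (network, note) for the longest prefix in table covering ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, note in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, note)
    return best


def evaluate(ip, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Decide accept/reject: the more specific prefix wins, allowlist on ties."""
    blocked = most_specific(ip, blocklist)
    allowed = most_specific(ip, allowlist)
    if allowed and (not blocked or allowed[0].prefixlen >= blocked[0].prefixlen):
        return ("accept", str(allowed[0]), allowed[1])
    if blocked:
        return ("reject", str(blocked[0]), blocked[1])
    return ("accept", None, "not listed")


def fcrdns(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Forward-confirmed reverse DNS over static records (no network access)."""
    name = ptr_records.get(reverse_name(ip))
    if name is None:
        return "no-ptr"
    addresses = a_records.get(name)
    if not addresses:
        return "forward-missing"
    return "confirmed" if ip in addresses else "mismatch"


if __name__ == "__main__":
    # 71.156.118.10 is a constructed address inside the /23 named in the thread.
    for ip in ("71.133.223.221", "71.156.118.10", "192.0.2.1"):
        print(ip, evaluate(ip))
    for ip in ("71.133.223.216", "71.133.223.217", "71.133.223.222"):
        print(ip, reverse_name(ip), fcrdns(ip))
    # "dnsbl.example" is a placeholder zone, not a real list.
    print(reverse_name("71.133.223.221", "dnsbl.example"))
```

Passing `allowlist={}` to `evaluate` shows the outcome without any exception list: every address in the /11 is rejected under the single covering entry.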

--

Claes T

May 21, 2007, 8:17:36 AM

Hi!

Sat, 19 May 2007 11:59:16 GMT, Dan Harkless <use...@harkless.org>
wrote:

>My server is hosted from my AT&T static IP address DSL line (about all I
>can afford), and I'm an anti-spam activist

Please see http://www.spamhaus.org/statistics/networks.lasso

Could you please clarify why you as an anti-spam activist give your
last dimes to the isp giving more service to spammers than any other
isp but Verizon? Did you at least talk with your kind AT&T salesman
or support about this? What did s/he say? Are they planning to be out
of the top-ten-worst list before summer? Before end of year? (if so,
before end of *what* year?) Before sun (not Sun) dies?

>Presumably AT&T's main outgoing SMTP servers are not blocked, but for
>many reasons I prefer to be able to send my email directly from my
>server (e.g. to be able to have hard verification that certain mails
>reached the recipient servers, to be able to ensure end-to-end SSL
>encryption with certain correspondents' servers, etc.).

If you can't afford to pay for premium service, maybe you shouldn't
expect to be able to use premium service? Live in the slum, be
treated as someone living in the slum. Not fair, but life isn't.

But perhaps you could talk with some of your anti-spam customers,
asking them to let you smarthost your mail with them, maybe even for
free if they like your software?

>APEWS folks, would you please consider either removing static IP address
>ranges from this block (not sure what they are -- I don't know if AT&T
>publishes that info publically), or else adding the ability for
>legitimate non-spamming server owners to request removal of their
>specific IPs, as many other prominent DNSBLs do?

You ask them to change the part in FAQ Q42/A42 telling you:
"If there is a spam related problem with your host, their IP
address/range will not be removed until it is resolved"?

Well, I could guess they won't change their M.O. to please you, but
time will tell.

>I hope you can do something about this. :-( As of right now I'm of
>course ceasing use of APEWS, since it incorrectly marks me as a spammer.

Of course. But I'm afraid it won't get your mail delivered if *you*
cease to use APEWS, better if you ask the part blocking your mail to
whitelist your IP.

HTH, HAND,
Claes T

Dan Harkless

May 21, 2007, 2:41:00 PM
Phil Howard wrote:
> | I'm a long-time happy user of SPEWS and then APEWS, but I was very
> | unhappy today to discover that my netblock had been listed in APEWS:
>
> Don't you mean "... discover that my netblock is inside a very large
> network range owned by my ISP that got listed in APEWS:" ?

Yep.

> By not being able to afford anything better, you are effectively making
> use of spammer subsidized address space. Your ISP could not afford to
> provide space to you so cheaply unless:
>
> 1. They host some spammers to boost the revenue
> 2. They ignore complaints about the spammers
> 3. They drag their feet on shutting down people with botnets
> 4. They generally underpay and understaff technical departments
>
> All of these things impose a cost burden on everyone else. We pay so you
> can save some money? I don't think it should work that way.

I don't agree with your comparison. I believe AT&T's DSL fees are in
line with other DSL and cable Internet providers'. The cost comparison
I'm making is hosting my server on a static IP DSL line vs. co-locating
my server somewhere. I initially looked into that approach but found it
to not be affordable (generally due to non-flat-rate pricing models for
bandwidth). Shared hosting would be affordable, but I don't trust other
people having full access to my server and data.

> Your IP addresses are nestled in amongst some huge spans of generic IP
> space. Most DNSBLs still operate by IP address because that is still
> what is universally implemented. Maybe APEWS could see fit to break
> the huge span right where yours are if their intent is to just block
> the real sources of spam at generic address, instead of punishing AT&T
> for being such heels in letting the world be spammed from their network.
> Maybe. Or maybe not (I don't run APEWS nor have I any clue who does)
> due to the fact that it just doesn't scale to do this for everyone.

I dunno, other DNSBLs are able to make IP exceptions work. It's
generally pretty automated.

> Yet, the vast majority of the internet is NOT listed. Are all those
> users paying more than you are paying to get clean space?

Since I'm not omniscient, I can't really answer that, but my local
providers are Cox cable and AT&T DSL. Last time I looked into it, Cox
didn't support the running of servers. I know it would be possible to
get DSL through another provider and have AT&T just providing the phone
line, but when I had that kind of service in the past (Covad via SBC),
it was a nightmare when there were service problems since Covad and SBC
would just point the finger at each other and I couldn't get the
problems fixed.

> I've been considering running a DNSWL. Basically it would be a way to
> whitelist certain categories of networks as exceptions to network that
> are otherwise blacklisted (generally in larger ranges). Would that be
> something that could help in your case? The catch is, I would require
> some kinds of documentation that you are who you say you are, and that
> your network is operating validly (which, BTW, it is not, if you have
> 71.133.223.217 through 71.133.223.220, due to the false rDNS), and that
> you would sign a statement that you agree to not spam. And to verify
> all this, I would require collecting a processing fee (so in reality it
> would probably never be implemented).

I would be supportive of that if the processing fee were reasonable. I
don't think senderscorecertified.com's $400 application fee for
non-profit organizations is reasonable.

> Why not cease use of AT&T, since it incorrectly believes the world does
> not care that their mail servers and inboxes abused? Note that this only
> means ceasing to use it as an SMTP outbound path. Host a dedicated server
> at a clean ISP and use various secure protocol to communicate through it
> via that AT&T access line.

It's sounding like that's the only option, if APEWS won't consider an
exception mechanism. I just hope I don't go down that road, spend a
bunch of money, get into a contract, and then find that APEWS is
blocking me again because they've decided *that* provider has too many
spammers in the neighborhood. Perhaps I'll wait and gauge how wide the
use of APEWS is by how often my mails start getting blocked now (of
course I'll probably have a lot of mail just get sent quietly into junk
mail folders based on APEWS-influenced scoring, and won't generally have
a way to distinguish whether those correspondents have just been too
busy to reply or didn't get my email in their inboxes).

--

Shmuel (Seymour J.) Metz

May 21, 2007, 6:29:54 PM
In <1um4i.22816$JZ3....@newssvr13.news.prodigy.net>, on 05/21/2007
at 06:41 PM, Dan Harkless <use...@harkless.org> said:

>I dunno, other DNSBLs are able to make IP exceptions work.

No. Specifically, DNSBL's with policies similar to those of APEWS and
SPEWS are unable to make IP exceptions work without violating the
policies. Your problem is one of goals, not one of technical means. If
you don't want an early warning system, don't use one, but don't whine
that an early warning system is implemented as an early warning
system.

>It's sounding like that's the only option, if APEWS won't consider
>an exception mechanism.

Even if they did, how would APEWS prevent someone from blocking that
network locally? AT&T is a bad neighborhood, and that would cause you
problems even without their being listed on APEWS.

>and then find that APEWS is blocking me again

APEWS is not blocking you. Even had APEWS concealed AT&T's behavior,
the people blocking you would have eventually become aware of it.

>Perhaps I'll wait and gauge how wide the use of APEWS is by how
>often my mails start getting blocked now

The data people use for blocking decisions are from more sources than
just APEWS.

>(of course I'll probably have a lot of mail just get sent quietly
>into junk mail folders based on APEWS-influenced scoring,

There is no "of course". Why do you believe that the people using
APEWS are dropping suspect messages instead of issuing a proper 5yz
response? I'd say that it's more likely that your e-mail software is
failing to pass the response on to you.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

--

phil-new...@ipal.net

May 21, 2007, 7:08:06 PM
On Mon, 21 May 2007 18:41:00 GMT Dan Harkless <use...@harkless.org> wrote:
| Phil Howard wrote:

|> By not being able to afford anything better, you are effectively making
|> use of spammer subsidized address space. Your ISP could not afford to
|> provide space to you so cheaply unless:
|>
|> 1. They host some spammers to boost the revenue
|> 2. They ignore complaints about the spammers
|> 3. They drag their feet on shutting down people with botnets
|> 4. They generally underpay and understaff technical departments
|>
|> All of these things impose a cost burden on everyone else. We pay so you
|> can save some money? I don't think it should work that way.
|
| I don't agree with your comparison. I believe AT&T's DSL fees are in
| line with other DSL and cable Internet providers'. The cost comparison
| I'm making is hosting my server on a static IP DSL line vs. co-locating
| my server somewhere. I initially looked into that approach but found it
| to not be affordable (generally due to non-flat-rate pricing models for
| bandwidth). Shared hosting would be affordable, but I don't trust other
| people having full access to my server and data.

I believe you will find that pretty much all DSL and cable providers
fall into the same category: they skimp on costs they should bear the
burden for, as I detailed, which passes those costs on to the victims
of the abuses from their network they fail to control.

I share your concern about shared hosting. I wouldn't go that route.
But somehow you need to move up out of the rut you are in, and it is
very likely that no DSL/cable options will achieve that.

How much of your traffic is outbound email? Another option, if that
traffic level is smaller, is to get an ISDN or dialup service from a
different provider. Otherwise, finding a colocation or dedicated
hosting provider remains your big option.

I'm not expecting any lists that list big provider blocks to be cutting
any holes. If they do, they would have to for everyone else who makes
the same claims as you do, and there is a huge list of that. They would
end up having to expend a huge cost burden to carry out verifications of
such requests. Charging to be exempted from such a listing would sure
be seen as a conflict of interest, and possibly illegal. Otherwise it
is just entirely impractical to do that.

What I am doing with my own lists (not publically available right now)
is listing by domain NAME, rather than IP address. The effect of such
a list is that your correctly rDNS'd addresses would not be affected
unless and until your own domain somehow got listed. If those who have
the resources to operate a worldwide public DNSBL were convinced to run
a list that used names like that, maybe it would become more popular
to use instead of lists based on IP address. So maybe you might want
to take the position of supporting that concept.


|> Your IP addresses are nestled in amongst some huge spans of generic IP
|> space. Most DNSBLs still operate by IP address because that is still
|> what is universally implemented. Maybe APEWS could see fit to break
|> the huge span right where yours are if their intent is to just block
|> the real sources of spam at generic address, instead of punishing AT&T
|> for being such heels in letting the world be spammed from their network.
|> Maybe. Or maybe not (I don't run APEWS nor have I any clue who does)
|> due to the fact that it just doesn't scale to do this for everyone.
|
| I dunno, other DNSBLs are able to make IP exceptions work. It's
| generally pretty automated.

How do they verify that a request for exception is valid (e.g. does not
meet the criteria that the rest of the large enclosing subnet does meet)?


|> Yet, the vast majority of the internet is NOT listed. Are all those
|> users paying more than you are paying to get clean space?
|
| Since I'm not omniscient, I can't really answer that, but my local
| providers are Cox cable and AT&T DSL. Last time I looked into it, Cox
| didn't support the running of servers. I know it would be possible to
| get DSL through another provider and have AT&T just providing the phone
| line, but when I had that kind of service in the past (Covad via SBC),
| it was a nightmare when there were service problems since Covad and SBC
| would just point the finger at each other and I couldn't get the
| problems fixed.

That's a common problem for sure. DSL doesn't fall under the same
requirements to provide reliable service as T1 (including fractional)
does. But T1 is also more expensive. And if it comes from the same
provider (such as AT&T) you may be no better off at the IP provisioning
stage.


|> I've been considering running a DNSWL. Basically it would be a way to
|> whitelist certain categories of networks as exceptions to network that
|> are otherwise blacklisted (generally in larger ranges). Would that be
|> something that could help in your case? The catch is, I would require
|> some kinds of documentation that you are who you say you are, and that
|> your network is operating validly (which, BTW, it is not, if you have
|> 71.133.223.217 through 71.133.223.220, due to the false rDNS), and that
|> you would sign a statement that you agree to not spam. And to verify
|> all this, I would require collecting a processing fee (so in reality it
|> would probably never be implemented).
|
| I would be supportive of that if the processing fee were reasonable. I
| don't think senderscorecertified.com's $400 application fee for
| non-profit organizations is reasonable.

That seems a bit high to me. But I don't know what they do with it.
How well recognized are they in the anti-spam community? Can anyone
use a DNS based service from them for free?


|> Why not cease use of AT&T, since it incorrectly believes the world does
|> not care that their mail servers and inboxes abused? Note that this only
|> means ceasing to use it as an SMTP outbound path. Host a dedicated server
|> at a clean ISP and use various secure protocol to communicate through it
|> via that AT&T access line.
|
| It's sounding like that's the only option, if APEWS won't consider an
| exception mechanism. I just hope I don't go down that road, spend a
| bunch of money, get into a contract, and then find that APEWS is
| blocking me again because they've decided *that* provider has too many
| spammers in the neighborhood. Perhaps I'll wait and gauge how wide the
| use of APEWS is by how often my mails start getting blocked now (of
| course I'll probably have a lot of mail just get sent quietly into junk
| mail folders based on APEWS-influenced scoring, and won't generally have
| a way to distinguish whether those correspondents have just been too
| busy to reply or didn't get my email in their inboxes).

Find a provider that fully understands APEWS (and SPEWS). Talk with the
candidate providers about this and see what they say. Be sure to avoid
those who say things like "we can't control who lists us where" as that
can either be weaseling to avoid a commitment they know they cannot make,
or just plain ignorance about the whole issue. Ask for a contract that
states that during any time either your IP space, or any other space at
least /24 in size, is listed in APEWS (or any other list you itemize and
agree to in the contract), then your cost is reduced to some substantially
low percentage, and the contract cannot be terminated early by them during
that period (unless they can show you were the spammer, which we assume
is something they will never be able to do).

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

--

Dan Harkless

May 21, 2007, 9:40:22 PM
Shmuel (Seymour J.) Metz wrote:
> >I dunno, other DNSBLs are able to make IP exceptions work.
>
> No. Specifically, DNSBL's with policies similar to those of APEWS and
> SPEWS are unable to make IP exceptions work without violating the
> policies. Your problem is one of goals, not one of technical means. If
> you don't want an early warning system, don't use one, but don't whine
> that an early warning system is implemented as an early warning
> system.

The way "early warning system" is described on both the SPEWS and APEWS
websites is:

Most spam advisory and blocking systems work after the fact. There
is a time lag between the spammer setting up shop, spamming
millions, and getting netblocks listed by these systems. [AS]PEWS
identifies known spammers and spam operations, listing them as soon
as they start, sometimes even before they start spamming.

The AT&T /11 that's just been listed is not a "known spammer [or] spam
operation". If the policy of APEWS is now to block huge ISP netblocks
because they aren't tough enough on certain spamming customers within
that range, the description of APEWS should really be updated to reflect
that, so people are not misled as to the level of false positives
they'll be getting.

> >It's sounding like that's the only option, if APEWS won't consider
> >an exception mechanism.
>
> Even if they did, how would APEWS prevent someone from blocking that
> network locally. AT&T is a bad neighborhood, and that would cause you
> problems even without their being listed on APEWS.

The only DNSBLs I've found myself on until APEWS were "dynamic IP" lists
that allowed me to put in an exception for my server's (static) IP, and
Earthlink's in-house blocklist, which also allowed me to get an
exception put in.

> >Perhaps I'll wait and gauge how wide the use of APEWS is by how
> >often my mails start getting blocked now
>
> The data people use for blocking decisions are from more sources than
> just APEWS.

Yes, and hopefully I won't get too many rejections from crappy setups
that don't specify what list your IP address was found on to cause your
mail to be blocked.

> >(of course I'll probably have a lot of mail just get sent quietly
> >into junk mail folders based on APEWS-influenced scoring,
>
> There is no "of course".

Sorry, but once again, yes there is an "of course".

> Why do you believe that the people using APEWS are dropping suspect
> messages instead of issuing a proper 5yz response? I'd say that it's
> more likely that your e-mail software is failing to pass the response
> on to you.

I'm speaking hypothetically, so your blaming my email software is rather
comical, but I assure you I would be aware of it if any of the software
I use were blocking a bounce. I've contributed code to my mail client
(nmh -- was also the project maintainer for awhile), my mailserver
(sendmail), and the sendmail milters I use. I'm not some idiot who
doesn't know what he's doing -- sorry.

In any case, I didn't say anything about suspect messages being dropped
(although no doubt some people do that as well). I said some of them
will probably get scored based partially on APEWS records and be
automatically filed into people's junk mail folders, where they'll not
likely ever be discovered.

You're arguing against a parenthetical side remark that isn't really
relevant to the overall discussion, BTW.

--

Stephen Satchell

May 22, 2007, 6:06:32 AM
Dan Harkless wrote:
> The cost comparison
> I'm making is hosting my server on a static IP DSL line vs. co-locating
> my server somewhere. I initially looked into that approach but found it
> to not be affordable (generally due to non-flat-rate pricing models for
> bandwidth). Shared hosting would be affordable, but I don't trust other
> people having full access to my server and data.

I'll be blunt: you haven't looked hard enough, then.


--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism

--

use...@harkless.org

May 22, 2007, 6:07:48 AM
[Didn't receive a robomoderation "RECEIVED" message for this post (or
anything else). Trying again.]

Shmuel (Seymour J.) Metz wrote:

> >APEWS wrote:
>
> Do you really believe that came from APEWS?

Yes. Why would someone fake an "Anonymous Postmasters Early Warning
System (APEWS.ORG) has started" announcement that gets the facts right
and makes no suspicious claims? To believe that didn't come from them
(or a designated proxy for them) would require a ridiculous and
unjustified level of paranoia.

> >but for many reasons I prefer to be able to send my email directly
> >from my server
>
> You certainly have the right to run a mail client in the IP space you
> lease from AT&T[1], but nobody has an obligation to accept traffic
> from it.

I never said anything about obligation. I was just hoping APEWS would
consider a mechanism to allow exceptions in the giant netblocks they're
marking as spam sources.

> >as many other prominent DNSBLs do?
>
> Every list has its own policies. Unless you can provide a compelling
> reason why the current APEWS policies interfere with achieving their
> goals, I don't see why APEWS would consider changing them.

Their goals include wanting people to find them a useful anti-spam DNSBL
without an unusable level of false positives. I used to consider them
to be that, but as of now, do no longer. I would imagine some others
(if not those folks who responded to my post in this group) may now feel
the same, considering they're now listing huge /11 networks.

> >As of right now I'm of course ceasing use of APEWS,
>
> There is no "of course". You are certainly free to cease using a DNSBL
> for whatever reason you wish,

Yes, there is an "of course" -- if I feel they're taking way too blunt
an approach by listing a /11 that I fall into, then of course I won't
want to use them any longer for my anti-spam needs either.

> but you're hurting only yourself.

I don't use DNSBLs with an unreasonably high level of false positives --
it would hurt me more to keep using APEWS at this point than to stop.

--

use...@harkless.org

May 22, 2007, 6:08:44 AM
[Didn't receive a robomoderation "RECEIVED" message for this post (or
anything else). Trying again.]

Herb Oxley wrote:
> > I hope you can do something about this. :-( As of right now I'm of
> > course ceasing use of APEWS, since it incorrectly marks me as a spammer.
>
> If you're a long time former SPEWS user you should know SPEWS took a
> meat-ax approach to spam blocking and APEWS ( and to a lesser extent
> UCEPROTECT ) is run along the same lines.

Actually, I didn't know that. I started using the Spam Prevention Early
Warning System when its philosophy (still listed in the intro on
<http://www.spews.org/>) matched its name:

Most spam advisory and blocking systems work after the fact. There
is a time lag between the spammer setting up shop, spamming
millions, and getting netblocks listed by these systems. SPEWS
identifies known spammers and spam operations, listing them as soon
as they start, sometimes even before they start spamming.

It was targeting "spammers and spam operations", not (legitimate)
ISPs. Perhaps it got a lot more aggressive over the years, drifting
from its core philosophy, and it would seem APEWS has gone even farther
down that road.

I was not aware of SPEWS (or until now, APEWS) blocking legitimate mail,
and periodic tests of IPs I'd received non-spam mail from in the past
didn't trigger SPEWS/APEWS matches. I take a "least blocking" approach
with my use of DNSBLs and was only using SPEWS/APEWS on my most
spam-tainted email aliases (e.g. the one I'm posting this article from),
though, so I guess if SPEWS/APEWS ever blocked legitimate mail to those
aliases, the correspondents just gave up at that point (a situation I
very much like to avoid).

> Note that SPEWS used /18 as the biggest block.

Yes, the /11 APEWS is blocking in this case is certainly a lot more
aggressive.

> Those who use APEWS will have to learn how to whitelist "good" senders
> such as yourself or they will lose too much email they
> really want to receive.

It doesn't seem like there's a good DNSWL that's affordable for people
who aren't sending out email as part of a business. There's
<http://www.senderscorecertified.com/>, for instance, but it requires a
$400 application fee even from non-profit organizations. It would be
cool if someone started a more community-based whitelist (perhaps using
techniques similar to the PGP "web of trust").

> As I have posted before I think the majority of SPEWS users were
> outside the USA, where they would be less likely to receive valid mail
> from USA internet address blocks.

Interesting. I didn't know that. In any case, thanks for your
constructive reply.

--
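Added example, not part of any poster's message: the size of a /11 listing against the /18 mentioned above, an exclusion inside a listed block expressed as a more-specific entry, and a receiver that consults a whitelist before a blocklist. The zone names, the private 10.0.0.0/8 ranges and all function names are constructed for illustration and are not APEWS or SPEWS data or code.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Owner name a DNSBL client looks up: reversed IPv4 octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def listing_size(cidr):
    """Number of addresses covered by one CIDR listing."""
    return ipaddress.ip_network(cidr).num_addresses


class CidrList:
    """An IP list with optional exclusions ("holes") inside listed blocks.

    The most specific (longest-prefix) entry covering an address wins, so a
    /29 exclusion overrides the /11 listing that contains it.
    """

    def __init__(self, listed, excluded=()):
        self.listed = [ipaddress.ip_network(n) for n in listed]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]

    def match(self, ip):
        """Return ("listed" | "excluded", network) or None if not covered."""
        addr = ipaddress.ip_address(ip)
        hits = [("listed", n) for n in self.listed if addr in n]
        hits += [("excluded", n) for n in self.excluded if addr in n]
        if not hits:
            return None
        # On equal prefix length the listing wins (it comes first in hits).
        return max(hits, key=lambda h: h[1].prefixlen)

    def is_listed(self, ip):
        hit = self.match(ip)
        return hit is not None and hit[0] == "listed"


def decide(ip, blocklist, whitelist):
    """Receiver-side policy: whitelist first, then blocklist, else accept."""
    if whitelist.is_listed(ip):
        return "accept: whitelisted"
    if blocklist.is_listed(ip):
        return "reject: 550 listed in " + str(blocklist.match(ip)[1])
    return "accept"


# Constructed sample data (private address space, hypothetical zones).
BIG_BLOCK = "10.128.0.0/11"
SMALL_BLOCK = "10.128.0.0/18"
STATIC_HOLE = "10.133.223.216/29"
SERVER_IP = "10.133.223.217"

BLOCKLIST_PLAIN = CidrList([BIG_BLOCK])
BLOCKLIST_WITH_HOLE = CidrList([BIG_BLOCK], excluded=[STATIC_HOLE])
LOCAL_WHITELIST = CidrList([SERVER_IP + "/32"])

if __name__ == "__main__":
    print(dnsbl_query_name(SERVER_IP, "bl.example"))
    print("/11 covers", listing_size(BIG_BLOCK), "addresses")
    print("/18 covers", listing_size(SMALL_BLOCK), "addresses")
    print("list with hole:", BLOCKLIST_WITH_HOLE.match(SERVER_IP))
    print("no hole, local whitelist:",
          decide(SERVER_IP, BLOCKLIST_PLAIN, LOCAL_WHITELIST))
    print("neighbour in same block:",
          decide("10.133.1.1", BLOCKLIST_PLAIN, LOCAL_WHITELIST))
```
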

use...@harkless.org

May 22, 2007, 7:22:20 AM
On May 21, 4:08 pm, Phil Howard wrote:
>
> I believe you will find that pretty much all DSL and cable providers
> fall into the same category: they skimp on costs they should bear the
> burden for, as I detailed, which passes those costs on to the victims
> of the abuses from their network they fail to control.
>
> I share your concern about shared hosting. I wouldn't go that route.
> But somehow you need to move up out of the rut you are in, and it is
> very likely that no DSL/cable options will achieve that.
>
> How much of your traffic is outbound email?

I don't have detailed stats at hand, but yeah, probably not that large
a percentage. I don't monitor how much bandwidth my users (friends
and family) use, though, and they may be using "email as a file
transfer protocol" for large files. I would hate to have to restrict
them.

> Another option, if that
> traffic level is smaller, is to get an ISDN or dialup service from a
> different provider. Otherwise, finding a colocation or dedicated
> hosting provider remains your big option.

I like my email to go out as instantly as possible (another reason I
don't like having to take an unnecessary hop through ISP mailservers),
so dialup wouldn't be a good solution. ISDN from someone other than
my phone company? I didn't realize that was possible. Tried to do
some searching just now and I'm not seeing any such providers. AT&T
requires you to call if you're ordering ISDN and doesn't list prices
online, but last I knew, several years ago, ISDN was a lot more
expensive than DSL (despite the much slower speeds). If that's still
the case, co-lo or dedicated hosting would seem a better use of money.

> I'm not expecting any lists that list big provider blocks to be cutting
> any holes. If they do, they would have to for everyone else who makes
> the same claims as you do, and there is a huge list of that. They would
> end up having to expend a huge cost burden to carry out verifications of
> such requests.

The dynablock.njabl.org (recently deprecated in favor of:),
pbl.spamhaus.org, dul.dnsbl.sorbs.net, and dhcp.tqmcube.com DNSBLs
(and others, I believe) all list large ISP netblocks yet provide the
ability for server owners to get their IPs excluded. It appears
they've been able to successfully manage the potential costs of the
verification (e.g. through automation).

> Charging to be exempted from such a listing would sure
> be seen as a conflict of interest, and possibly illegal.

I note that uceprotect.net charges to be removed, but that's only if
you want to be removed immediately, and their system drops entries
automatically after 7 days (assuming no more spam from an IP hitting
the spamtraps).

> Otherwise it is just entirely impractical to do that.

Apparently it's not -- see the DNSBLs I mentioned above (which do not
charge for removal).

> What I am doing with my own lists (not publically available right now)
> is listing by domain NAME, rather than IP address. The effect of such
> a list is that your correctly rDNS'd addresses would not be affected
> unless and until your own domain somehow got listed. If those who have
> the resources to operate a worldwide public DNSBL were convinced to run
> a list that used names like that, maybe it would become more popular
> to use instead of lists based on IP address. So maybe you might want
> to take the position of supporting that concept.

At first blush, that sounds like RHSBLs, which are indeed offered by a
number of public providers. Of course the problem with them is that
spammers can evade them by forging the envelope From domain and not
all domains publish SPF (or similar) records to deal with the forging
problem.

But since you mention rDNS, perhaps you're talking about a list that
checks to see if the IP address of the sending SMTP server resolves to
a domain that's listed? How do you deal with forged rDNS? Require
reverse and forward lookup to match? How do you allow for virtual
hosting on the same IP? And what about spammer servers that have no
rDNS? Also, do you only support domain names, or full hostnames? If
the former, I guess you have no way of listing one rogue server inside
verizon.net without blocking the entire domain?

> | I dunno, other DNSBLs are able to make IP exceptions work. It's
> | generally pretty automated.
>
> How do they verify that a request for exception is valid (e.g. does not
> meet the criteria that the rest of the large enclosing subnet does meet)?

I'm not sure -- not all of them publish exactly how it works (perhaps
to help avoid abuse). Here's what the SORBS DUHL requires:

We also operate a self-help exclusion interface that allows the
owner of a system to quickly exclude a single IP address (or, in
some cases, multiple IP addresses) from the DUHL. For this to
be possible, the following criteria need to be met:

* The MX record of a domain needs to contain a host name
  that maps to the IP address involved. The Time to Live of
  the MX record needs to be at least 43200 seconds.
* The A record for the host name needs to have a TTL of at
  least 43200 seconds.
* The reverse DNS PTR record for the IP address involved
  needs to map back to the name given in the MX record,
  and to have a TTL of at least 43200 seconds.
* If there are multiple MX entries, these rules apply to them
  all.

No doubt they also have stuff in place to block exclusion requests if
the requester is found to be spamming.

> | I would be supportive of that if the processing fee were reasonable. I
> | don't think senderscorecertified.com's $400 application fee for
> | non-profit organizations is reasonable.
>
> That seems a bit high to me. But I don't know what they do with it.
> How well recognized are they in the anti-spam community?

I'm not sure -- I only recently became aware of them. They were
formerly known as Bonded Sender. I would imagine they're not that
well recognized in the community since they're clearly primarily a
commercial service.

> Can anyone use a DNS based service from them for free?

According to
<http://www.senderscorecertified.org/senderscorecertified/howmuch.php>,
yes.

dnswl.org, which I discovered afterwards, looks like a better bet for
community adoption (e.g. due to free listing). No idea if they'll be
able to keep up with the whitelisting demand with their volunteer
staff, though. I've submitted a listing request -- we'll see how long
it takes for them to respond in some way.

> Find a provider that fully understands APEWS (and SPEWS).

Sounds easier said than done. Even if such providers are around, I
probably won't usually be able to get access to the people on staff
who have that understanding.

> Talk with the
> candidate providers about this and see what they say. Be sure to avoid
> those who say things like "we can't control who lists us where" as that
> can either be weaseling to avoid a commitment they know they cannot make,
> or just plain ignorance about the whole issue. Ask for a contract that
> states that during any time either your IP space, or any other space at
> least /24 in size, is listed in APEWS (or any other list you itemize and
> agree to in the contract), then your cost is reduced to some substantially
> low percentage, and the contract cannot be terminated early by them during
> that period (unless they can show you were the spammer, which we assume
> is something they will never be able to do).

It's an interesting thought, but I really doubt I'd have the leverage
to get them to agree to that kind of risk ("What, some faceless entity
that can't be contacted lists some IP space that includes us on some
whim and you no longer have to pay us enough to cover our costs? I
don't think so."), especially since I'd of necessity have to go with
one of the lower-cost providers (and packages).

--
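Added example, not part of any poster's message: the SORBS DUHL exclusion criteria quoted in the post above, including the forward-and-reverse match the post asks about, evaluated over constructed DNS record sets. `Record`, `check_exclusion`, the example.org / 192.0.2.x data, and the reading of "these rules apply to them all" as "every MX host must pass" are assumptions of this sketch, not SORBS's own code.

```python
from dataclasses import dataclass

MIN_TTL = 43200  # seconds; the minimum TTL given in the quoted criteria


@dataclass(frozen=True)
class Record:
    rtype: str  # "MX", "A" or "PTR"
    name: str   # owner name; PTR records are keyed by plain IP here for brevity
    value: str  # MX/PTR target host name, or the IPv4 address of an A record
    ttl: int


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def lookup(records, rtype, name):
    return [r for r in records if r.rtype == rtype and norm(r.name) == norm(name)]


def check_exclusion(domain, ip, records):
    """Return the list of failed criteria; an empty list means eligible."""
    mx_records = lookup(records, "MX", domain)
    if not mx_records:
        return [f"no MX record for {domain}"]
    failures = []
    ip_reached = False
    for mx in mx_records:  # assumed reading: the rules apply to every MX
        host = norm(mx.value)
        if mx.ttl < MIN_TTL:
            failures.append(f"MX {host}: TTL {mx.ttl} < {MIN_TTL}")
        a_records = lookup(records, "A", host)
        if not a_records:
            failures.append(f"A {host}: no address record")
        for a in a_records:
            if a.ttl < MIN_TTL:
                failures.append(f"A {host}: TTL {a.ttl} < {MIN_TTL}")
            if a.value == ip:
                ip_reached = True
            # Forward-confirmed reverse DNS: PTR(address) must name the MX host.
            back = [p for p in lookup(records, "PTR", a.value)
                    if norm(p.value) == host]
            if not back:
                failures.append(f"PTR {a.value}: does not map back to {host}")
            elif all(p.ttl < MIN_TTL for p in back):
                failures.append(f"PTR {a.value}: TTL {back[0].ttl} < {MIN_TTL}")
    if not ip_reached:
        failures.append(f"no MX host of {domain} maps to {ip}")
    return failures


# Constructed sample record sets (documentation names and addresses).
GOOD = [
    Record("MX", "example.org", "mail.example.org.", 86400),
    Record("A", "mail.example.org", "192.0.2.25", 43200),
    Record("PTR", "192.0.2.25", "mail.example.org.", 86400),
]
# Same host, but the provider left its generic reverse name in place.
GENERIC_PTR = GOOD[:2] + [
    Record("PTR", "192.0.2.25", "adsl-192-0-2-25.dsl.example.net.", 86400),
]
# Short TTLs, as a dynamic-DNS style setup would publish.
SHORT_TTL = [
    Record("MX", "example.org", "mail.example.org.", 3600),
    Record("A", "mail.example.org", "192.0.2.25", 300),
    Record("PTR", "192.0.2.25", "mail.example.org.", 86400),
]
# Second MX whose address has no matching PTR.
TWO_MX = GOOD + [
    Record("MX", "example.org", "backup.example.org.", 86400),
    Record("A", "backup.example.org", "192.0.2.26", 86400),
]

if __name__ == "__main__":
    for label, zone in [("good", GOOD), ("generic PTR", GENERIC_PTR),
                        ("short TTL", SHORT_TTL), ("two MX", TWO_MX)]:
        result = check_exclusion("example.org", "192.0.2.25", zone)
        print(f"{label}: {'eligible' if not result else result}")
```
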

use...@harkless.org

May 22, 2007, 8:17:21 AM
[Didn't receive a robomoderation "RECEIVED" message (or anything else)
for this post. Trying again.]

E-Mail Sent to this address will be added to the BlackLists wrote:
> > A whole lot of non-spamming small businesses and techies
> > that prefer to run their own mailservers (e.g. for better
> > spam control) can no longer send mail to the APEWS-using
> > world.
>
> Except for those whitelisting sources of messages they
> want / need / expect.

Unfortunately there isn't a general way to know who to expect messages
from when you run a public website.

As for the whitelisting, I did just discover http://www.dnswl.org/ while
writing this post. Sounds like they have a pretty good approach,
although you have to do some digging to figure out how to get added and
what information they want from you. I'll go ahead and request an add
of my server and start figuring out how to get my DNSBL software working
with their whitelist. Hopefully they'll gain enough momentum that DNSBL
users will start widely using them.

> > APEWS folks, would you please consider either removing
> > static IP address ranges from this block (not sure what
> > they are -- I don't know if AT&T publishes that info
> > publicly), or else adding the ability for legitimate
> > non-spamming server owners to request removal of their
> > specific IPs, as many other prominent DNSBLs do?
>
> Which DNSbls would those be, that are accepting request for
> and delisting single IPs inside a BlackListed CIDR
> based on requests by an enduser?

I don't know the internals of all the DNSBLs I use, so I don't know
which of these use CIDRs and which don't (although where I do know that
I'll make note of it), but here are ones that allow a non-spamming
server administrator to request removal:

list.dsbl.org -- http://dsbl.org/removalquery

njabl.org -- http://www.njabl.org/remove.html and formerly
http://www.njabl.org/dynablock.html. I see that NJABL dynablock is
now deprecated in favor of the Spamhaus PBL. I wish more DNSBLs would
run -announce mailing lists so their users could be notified when
they're being shut down or otherwise significantly changed. In any
case, pretty sure this one was an example of a DNSBL that allowed for
exceptions within larger netblocks.

ix.dnsbl.manitu.net -- http://ix.dnsbl.manitu.net/

psbl.surriel.com/remove -- http://psbl.surriel.com/remove

sorbs.net -- Varies by list, but they definitely provide the ability to
get your IP excluded from a larger netblock in the dul.dnsbl.sorbs.net
DNSBL -- see <http://www.au.sorbs.net/faq/dul.shtml>.

spamhaus.org -- http://www.spamhaus.org/lookup.lasso (removal button on
results page). This would be another one that I know allows removal
of individual IPs within larger netblocks (with their PBL list, at
least -- see <http://www.spamhaus.org/pbl/index.lasso>).

tqmcube.com -- http://tqmcube.com/dnsbl/dnsbl_remove.php. This is
another one that documents that it allows exceptions for static IPs
within dynamic netblocks -- see <http://tqmcube.com/generic.php>.

> I don't see what good that would do, don't you think
> e.g. 71.156.118.0/23 would be requesting a delisting,
> so their messages would go through?

A lot of good DNSBLs seem to be able to offer delisting interfaces
despite the fact that spammers have an incentive to misuse them. That's
pretty easily handled by, for instance, banning further delisting
attempts by known spamming IPs. My server does not send out spam.

> Origin: AS7132
> Route: 71.128.0.0/11
> NetRange: 71.128.0.0 - 71.159.255.255
> NetName: SBCIS-SIS80
> NetType: Direct Allocation
> OrgName: SBC Internet Services
> OrgID: SIS-80
> NameServers: NS1.PBI.NET , NS2.PBI.NET
> Comment: pacbell.net / swbell.net / sbc.com / sbcglobal.net / att.com
>
> CIDR: 71.133.223.216/29
> NetRange: 71.133.223.216 - 71.133.223.223
> NetType: Reassigned
> CustName: Daniel Harkless
>
> Those seeing abuse related to that IP space would likely be
> sending messages to e-mail addresses that would be delivered
> to your ISP, not you; What does your ISP do when they get
> complaints related to that IP space?

No doubt the terms of use indicate that they would contact me and/or
immediately shut off my access, but as to how good they are about
enforcing that, I'm unaware. I know they've turned off my DSL line
before when I was a little late paying my bill (under a month), so they
definitely have the ability to do that.

> FYI, <http://www.spamhaus.org/statistics/networks.lasso>
> The 10 Worst Spam Service ISPs As at 20 May 2007
> Rank Network Number of Current Known Spam Issues
> 1 verizon.com 75
> 2 _ATT.net_ 56 (27 are known professional spam operations)

Okay, I didn't realize they had gotten that bad. Thank you for that
info.

> Those links above are in that AS7132 , 71.128.0.0/11 Direct
> Allocation to your ISP, I wonder what they will say about
> that when you ask them about those, and why they are #2
> in SpamHaus top 10 worst ISPs.

Given the usual quality of customer service at ISPs, I find it doubtful
I'll get any useful reply -- but I'll ask. Thanks.

> Cute rDNS for that 71.133.223.216/29 SWIP
> 216.223.133.71.in-addr.arpa -> NXDOMAIN
> 217.223.133.71.in-addr.arpa -> a.example.com -> NXDOMAIN
> 218.223.133.71.in-addr.arpa -> b.example.com -> NXDOMAIN
> 219.223.133.71.in-addr.arpa -> c.example.com -> NXDOMAIN
> 220.223.133.71.in-addr.arpa -> d.example.com -> NXDOMAIN
> 221.223.133.71.in-addr.arpa -> MX harkless.org -> 71.133.223.221
> 222.223.133.71.in-addr.arpa -> dumont.harkless.org -> 71.133.223.222
> 223.223.133.71.in-addr.arpa -> NXDOMAIN
> {Just playing with the rDNS PTRs?}

The only system that sends out mail is harkless.org, and it of course
has a correct rDNS pointer. The others are only client machines (doing
web browsing), and for privacy reasons I did not wish to gratuitously
identify myself in the weblogs of the world.

> FYI, IANA / ICANN is resolving some example.coms to IPs,
> and vice versa, e.g. example.com -> 208.77.188.166
> 166.188.77.208.in-addr.arpa -> www.example.com
> www.example.com -> 208.77.188.166

RFC 2606 specifies that example.com, .net, and .org are reserved as
example domain names.

--
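
The rDNS listing quoted in the post above is what a receiving mail server sees when it runs a forward-confirmed reverse DNS (FCrDNS) check on each address in the /29. The following is an added example, not part of any post in this thread; it runs offline against constructed records that mirror the quoted listing, and it simplifies the "MX harkless.org" entry to a plain forward address record.

```python
import ipaddress

# Constructed PTR records mirroring the rDNS listing quoted in the post.
PTR = {
    "217.223.133.71.in-addr.arpa": "a.example.com",
    "218.223.133.71.in-addr.arpa": "b.example.com",
    "219.223.133.71.in-addr.arpa": "c.example.com",
    "220.223.133.71.in-addr.arpa": "d.example.com",
    "221.223.133.71.in-addr.arpa": "harkless.org",
    "222.223.133.71.in-addr.arpa": "dumont.harkless.org",
}
# Constructed forward records; a-d.example.com are absent (NXDOMAIN).
FORWARD = {
    "harkless.org": {"71.133.223.221"},
    "dumont.harkless.org": {"71.133.223.222"},
}

def fcrdns(ip, ptr=PTR, forward=FORWARD):
    """Return (verdict, ptr_name) for a forward-confirmed reverse DNS check."""
    qname = ipaddress.ip_address(ip).reverse_pointer
    name = ptr.get(qname)
    if name is None:
        return ("no-ptr", None)            # reverse lookup is NXDOMAIN
    addrs = forward.get(name.rstrip(".").lower())
    if not addrs:
        return ("ptr-unresolvable", name)  # PTR target has no forward record
    if ip not in addrs:
        return ("mismatch", name)          # forward record points elsewhere
    return ("confirmed", name)

def audit(cidr):
    """Run the check over every address in a block, network address included."""
    return {str(a): fcrdns(str(a))[0] for a in ipaddress.ip_network(cidr)}

if __name__ == "__main__":
    for ip, verdict in audit("71.133.223.216/29").items():
        print(ip, verdict)
```

Only the two addresses whose PTR name resolves back to the same IP come out as confirmed, which matches the statement that the one system sending mail has a correct rDNS pointer.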

phil-new...@ipal.net

May 22, 2007, 8:21:17 AM
On Tue, 22 May 2007 10:07:48 GMT use...@harkless.org wrote:

| Their goals include wanting people to find them a useful anti-spam DNSBL
| without an unusable level of false positives. I used to consider them
| to be that, but as of now, do no longer. I would imagine some others
| (if not those folks who responded to my post in this group) may now feel
| the same, considering they're now listing huge /11 networks.

This is something frequently said about SPEWS. Given the similarity of
APEWS, I believe there may be similar goals here. An objective of the
DNSBL is to create an incentive to the ultimate controlling entity, the
ISP, to clean up their act and reduce the overall level of spam coming
through their network. Since this is a corporation that is motivated
only by profit and financial growth, any incentive mechanism must work
by influencing that motivation in a legal way. A major part of that
would be to convince customers that they, even though they are not
involved in the spam, need to quit being a customer of that provider.
At some point, the numbers would convince the executives of the provider
that they meet their own goals best by cleaning up the spam problem.
Those customers who stay with the provider are effectively communicating
the message "I do not care if you allow others to let spam through, I am
a loyal customer and will stay with you through to the bitter end". With
customers like that, why would they ever do anything to reduce spam, much
less stop it?


|> >As of right now I'm of course ceasing use of APEWS,
|>
|> There is no "of course". You are certainly free to cease using a DNSBL
|> for whatever reason you wish,
|
| Yes, there is an "of course" -- if I feel they're taking way too blunt
| an approach by listing a /11 that I fall into, then of course I won't
| want to use them any longer for my anti-spam needs either.

But if they list some other /11 that you do not fall into, that's OK?

And what of those who feel that since AT&T is doing so little to stop or
reduce spam, that they should de-peer the AT&T network entirely?


|> but you're hurting only yourself.
|
| I don't use DNSBLs with an unreasonably high level of false positives

You'd rather just block the spam, but leave all the attempts to send spam
running so your mail server is constantly pounded by SMTP connections that
are going to just get rejected?

Me? I'd rather get the provider to shut down the spamming.

Make it stop!


| it would hurt me more to keep using APEWS at this point than to stop.

It would hurt you least to move on to another provider for, at minimum,
your outbound email, and continue as a participant in the campaign to get
spammers shut down by their providers.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

--

phil-new...@ipal.net

May 22, 2007, 8:23:17 AM
On Tue, 22 May 2007 10:08:44 GMT use...@harkless.org wrote:

|> If you're a long time former SPEWS user you should know SPEWS took a
|> meat-ax approach to spam blocking and APEWS ( and to a lesser extent
|> UCEPROTECT ) is run along the same lines.
|
| Actually, I didn't know that. I started using the Spam Prevention Early
| Warning System when its philosophy (still listed in the intro on
| <http://www.spews.org/>) matched its name:
|
| Most spam advisory and blocking systems work after the fact. There
| is a time lag between the spammer setting up shop, spamming
| millions, and getting netblocks listed by these systems. SPEWS
| identifies known spammers and spam operations, listing them as soon
| as they start, sometimes even before they start spamming.
|
| It was targeting "spammers and spam operations", not (legitimate)
| ISPs. Perhaps it got a lot more aggressive over the years, drifting
| from its core philosophy, and it would seem APEWS has gone even farther
| down that road.

Who said it was not targeting ISPs? The name itself certainly does not.
In fact that name suggested to me the very possibility that it would
target ISPs that were host to spammers (and spam leakers). It was
giving me an early warning that spammers could easily and readily pop
up anywhere in a certain IP range owned by a certain ISP.


|> Note that SPEWS used /18 as the biggest block.
|
| Yes, the /11 APEWS is blocking in this case is certainly a lot more
| aggressive.

I'm not yet sure what APEWS is really doing, but if I had run either of
these operations, it would have ended up blocking whatever the ISP had
as soon as a certain threshold of spamming was met. One possible idea
I personally had was to identify the top 100 ISPs that let spam come
through their network, and keep those top 100 fully listed.

Note that "listed" does not necessarily mean "blocked". It can just as
easily mean "subject to greater scrutiny".


|> Those who use APEWS will have to learn how to whitelist "good" senders
|> such as yourself or they will lose too much email they
|> really want to receive.
|
| It doesn't seem like there's a good DNSWL that's affordable for people
| who aren't sending out email as part of a business. There's
| <http://www.senderscorecertified.com/>, for instance, but it requires a
| $400 application fee even from non-profit organizations. It would be
| cool if someone started a more community-based whitelist (perhaps using
| techniques similar to the PGP "web of trust").

How much do you think it would cost for YOU to carry out the investigation
of an application to be whitelisted? I don't think it would be anywhere
near $400. But what would it be, especially if you were doing this as your
only source of income? Would you personally alone be able to keep up with
the pace of applications, or would it be necessary to set up a business and
hire people to do this? Now what would it cost? Oh, and you need to hire
a bunch of lawyers, because you will end up being sued by some spammer, so
add more to the cost to cover that. Hmmm. That $400 doesn't look like it
is so far off, now.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-200...@ipal.net |
|------------------------------------/-------------------------------------|

--
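
The posts above turn on three mechanics: a list entry covering a whole CIDR block, exceptions for single addresses inside it, and a receiver that whitelists senders or treats "listed" as "subject to greater scrutiny" rather than "blocked". The following is an added example, not code from any list operator or poster; the /11 is the range named in the thread, while the /32 exception, the zone name `bl.example.net` and the function names are assumptions made for illustration.

```python
import ipaddress

# Entries are (CIDR, listed?). The /11 is the range named in the thread;
# the /32 exception is constructed for illustration.
ENTRIES = [
    ("71.128.0.0/11", True),
    ("71.133.223.221/32", False),   # hypothetical delisted static mail server
]

def dnsbl_qname(ip, zone="bl.example.net"):
    """Name a client would query: reversed IPv4 octets + the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip, entries=ENTRIES):
    """Most specific covering entry wins; returns (network, listed) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, listed in entries:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, listed)
    return best

def evaluate(ip, entries=ENTRIES, whitelist=(), on_hit="reject"):
    """Return (action, reason); on_hit is 'reject' or 'scrutinize'."""
    addr = ipaddress.ip_address(ip)
    for cidr in whitelist:              # the receiver's own whitelist goes first
        if addr in ipaddress.ip_network(cidr):
            return ("accept", "whitelisted by " + cidr)
    hit = lookup(ip, entries)
    if hit is None:
        return ("accept", "not listed")
    net, listed = hit
    if not listed:
        return ("accept", "exception " + str(net))
    return (on_hit, "listed in " + str(net))

if __name__ == "__main__":
    print(dnsbl_qname("71.133.223.221"))
    for ip in ("71.133.223.221", "71.133.223.222", "192.0.2.1"):
        print(ip, evaluate(ip), evaluate(ip, on_hit="scrutinize"))
```

Without the /32 exception or a receiver-side whitelist entry, every address in the /11 gets the same verdict, which is the situation the original complaint describes.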

Mike Andrews

May 22, 2007, 10:25:16 AM
On Mon, 21 May 2007 18:41:00 GMT, Dan Harkless <use...@harkless.org> wrote in <1um4i.22816$JZ3....@newssvr13.news.prodigy.net>:

> Since I'm not omniscient, I can't really answer that, but my local
> providers are Cox cable and AT&T DSL. Last time I looked into it, Cox
> didn't support the running of servers. I know it would be possible to
> get DSL through another provider and have AT&T just providing the phone
> line, but when I had that kind of service in the past (Covad via SBC),
> it was a nightmare when there were service problems since Covad and SBC
> would just point the finger at each other and I couldn't get the
> problems fixed.

I have Cox cable, and they support running servers on my account. It
is a _commercial_, not a residential, account. The price is the same,
I have a static IP, the folks at Cox were very good about setting up
the RDNS for me, and I get better service from the commercial helldesk
than I ever did from the residential helldesk.

For a while, I also had SBC DSL to another network in the house, but I
got sick-and-tired of it not working and SBC not giving a damn, and so
now it's all Cox.

If you can get a commercial account from your branch of Cox, you ought
to give that option very serious thought -- and especially so if the
price delta is small.

--
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin


======================================= MODERATOR'S COMMENT:

very good advice - and we're moving away from blocklisting, so
hopefully this thread is at an end

use...@harkless.org

May 22, 2007, 10:37:03 AM
[Didn't receive a robomoderation "RECEIVED" message (or anything else)
for this post. Trying again.]

Claes T wrote:
>
> Could you please clarify why you as an anti-spam activist give your
> last dimes to the isp giving more service to spammers than any other
> isp but Verizon? Did you at least talk with your kind AT&T salesman
> or support about this? What did s/he say? Are they planning to be out
> of the top-ten-worst list before summer? Before end of year? (if so,
> before end of *what* year?) Before sun (not Sun) dies?

I don't have a good alternative to AT&T DSL. As for grilling them about
their apparent lack of strong spam enforcement, I doubt they'll give me
a useful reply, but you're right, I should ask.

> But perhaps you could talk with some of your anti-spam customers,
> asking them to let you smarthost your mail with them, maybe even for
> free if they like your software?

I don't have any customers -- harkless.org is a personal site hosting
open source software, etc.

--

Seth

May 22, 2007, 2:29:28 PM
In article <1179811720.8...@p77g2000hsh.googlegroups.com>,
<use...@harkless.org> wrote:

>It was targeting "spammers and spam operations", not (legitimate)
>ISPs.

They apparently take the attitude that a legitimate ISP does not allow
(or retain) spammers as customers. Therefore, an ISP that emits spam
for an extended period is not legitimate, and the likelihood of the
rest of its IP space being infested by spammers is much higher than
for elsewhere.

Seth

E-Mail Sent to this address will be added to the BlackLists

May 22, 2007, 2:54:58 PM
use...@harkless.org wrote:
> RFC 2606 specifies that example.com, .net, and .org are
> reserved as example domain names.

For documentation & private testing.

I'd say you using them as rDNS PTRs for publicly routable
(internet IPs) isn't very private.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Cameron L. Spitzer

unread,
May 22, 2007, 3:02:16 PM5/22/07